Snort mailing list archives

RE: Detecting VNC, PCAnywhere etc.


From: "Mark Spieth" <mspieth () shellserve net>
Date: Sun, 5 Aug 2001 17:04:47 -0400

PCAW RULES

misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login";flags: A+; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:1;)
misc.rules:alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; content:"Invalid login"; offset:5; depth:13; flags:A+; classtype:unsuccessful-user; sid:511; rev:1;)
misc.rules:alert tcp $HOME_NET 5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login";flags: A+; content:"Invalid login"; depth: 16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:1;)
policy.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"MISC PCAnywhere Startup"; content:"ST"; depth: 2; reference:arachnids,239; classtype:bad-unknown; sid:566; rev:1;)
shellserve.ids:alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login";flags: A+; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:1;)
shellserve.ids:alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; content:"Invalid login"; offset:5; depth:13; flags:A+; classtype:unsuccessful-user; sid:511; rev:1;)
shellserve.ids:alert tcp $HOME_NET 5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login";flags: A+; content:"Invalid login"; depth: 16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:1;)
shellserve.ids:alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"MISC PCAnywhere Startup"; content:"ST"; depth: 2; reference:arachnids,239; classtype:bad-unknown; sid:566; rev:1;)



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sheahan, Paul (PCLN-NW)
Sent: Sunday, August 05, 2001 3:53 PM
To: 'Snort-users () lists sourceforge net'
Subject: [Snort-users] Detecting VNC, PCAnywhere etc.

Hello,

A popular method used by hackers after compromising a host on your network
is to make some type of connection back out to the Internet to gather tools
(usually an FTP, TFTP, VNC, PCAW, Telnet connection etc). I would like to be
able to detect this type of attempt.

I tried this using a rule to detect when certain destination ports (e.g.
5631 for PCAnywhere) are accessed, but there is one problem with this. Since
machines connect to our web site with a random source port (e.g. 5631, which
is used by PCAnywhere), our web server replies with that source port as the
destination port in the message going back. This triggers a false positive
when it sees 5631 as the destination port, for example.

Is anyone out there checking for this type of traffic on their network, and
if so, can you recommend a good rule?

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


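The false positive Paul describes comes from matching on the destination port alone: an outbound packet with dport 5631 can be either a compromised host dialling out to PCAnywhere or the web server answering a browser that happened to pick 5631 as its ephemeral source port. What distinguishes the two is who initiated the TCP connection. The script below is an added example, not code from the thread or from Snort: it models both a port-only rule and a handshake-tracking rule over constructed traffic and shows that only the latter fires solely on the outbound PCAnywhere session. The address ranges, hosts and packet flags are assumptions made up for the demonstration.

```python
"""Direction-aware detection of outbound PCAnywhere (TCP/5631) connections.

Constructed example (not Snort code): models the false positive from the
thread, a browser using ephemeral source port 5631, and shows how tracking
which endpoint sent the bare SYN removes it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")  # assumption: our internal range
PCAW_PORT = 5631                      # PCAnywhere TCP data port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA"


def is_home(ip: str) -> bool:
    return ip_address(ip) in HOME_NET


def naive_alerts(packets):
    """Port-only rule: HOME_NET any -> EXTERNAL_NET 5631, flags A+.

    This is the approach from the question; it fires on web-server replies
    to any client whose source port happens to be 5631.
    """
    return [p for p in packets
            if is_home(p.src) and not is_home(p.dst)
            and p.dport == PCAW_PORT and "A" in p.flags]


class FlowTracker:
    """Remembers which endpoint sent the bare SYN for each connection."""

    def __init__(self):
        # frozenset({(ip, port), (ip, port)}) -> (ip, port) of the client
        self.originators = {}

    def observe(self, p):
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if "S" in p.flags and "A" not in p.flags:  # bare SYN: client side
            self.originators[key] = (p.src, p.sport)
        return self.originators.get(key)


def flow_aware_alerts(packets):
    """Alert only when a HOME_NET host *initiated* a connection to an
    external service on 5631 and the packet travels client -> server."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        client = tracker.observe(p)
        if client is None:
            continue  # no handshake seen for this flow; ignore mid-stream data
        from_client = client == (p.src, p.sport)
        if (from_client and is_home(p.src) and not is_home(p.dst)
                and p.dport == PCAW_PORT and "A" in p.flags):
            alerts.append(p)
    return alerts


# Constructed sample traffic (all addresses are assumptions).
WEB = "10.1.1.80"        # internal web server
CLIENT = "198.51.100.7"  # external browser that picked source port 5631
VICTIM = "10.2.2.22"     # compromised internal host
DROP = "203.0.113.9"     # external host running PCAnywhere

SAMPLE = [
    # browser -> our web server, ephemeral source port 5631
    Packet(CLIENT, 5631, WEB, 80, "S"),
    Packet(WEB, 80, CLIENT, 5631, "SA"),
    Packet(CLIENT, 5631, WEB, 80, "A"),
    Packet(WEB, 80, CLIENT, 5631, "PA"),   # reply with dport 5631: the false positive
    # compromised host -> PCAnywhere on the Internet
    Packet(VICTIM, 1045, DROP, 5631, "S"),
    Packet(DROP, 5631, VICTIM, 1045, "SA"),
    Packet(VICTIM, 1045, DROP, 5631, "A"),
    Packet(VICTIM, 1045, DROP, 5631, "PA"),
]

if __name__ == "__main__":
    for name, fn in (("port-only", naive_alerts), ("flow-aware", flow_aware_alerts)):
        hits = fn(SAMPLE)
        print(f"{name}: {len(hits)} alert(s)")
        for p in hits:
            print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
```

Over this traffic the port-only rule raises four alerts, two of them on the web server's replies, while the handshake-tracking rule raises two, both from the compromised host. The cost is that the sensor must see the SYN; sessions already in progress when monitoring starts are missed. Later Snort releases express the same idea in the rule language with the flow keyword (flow:to_server,established), which is the usual fix for this class of false positive.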

